Banker.FAT and Other Nasties



Seikin
2007-08-02, 15:19
Yes, I was encountering a problem with CMD Service initially, but after much work I managed to remove that and with it I had thought all malware problems had ended.

However, on the immediately following startup I chose to run Spybot to make sure of this, only to find that many things remained (though CMD Service does appear to be gone).

The following is part of the log report that Spybot offers me. (I have the full report saved to my desktop.)


--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-839522115-1965331169-725345543-1003\Software\Microsoft\aldd

Banker.FAT: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Helper

Win32.Agent.qt: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-839522115-1965331169-725345543-1003\Software\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com

DoubleClick: Tracking cookie (Internet Explorer: alice chute) (Cookie, fixed)


SystemDoctor2006: Tracking cookie (Internet Explorer: alice chute) (Cookie, fixed)


GoClick: Tracking cookie (Internet Explorer: alice chute) (Cookie, fixed)


ErrorProtector: Tracking cookie (Internet Explorer: alice chute) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Internet Explorer: alice chute) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-06 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-06 Includes\DialerC.sbi (*)
2007-05-30 Includes\Hijackers.sbi (*)
2007-06-06 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-06-06 Includes\KeyloggersC.sbi (*)
2007-05-30 Includes\Malware.sbi (*)
2007-06-06 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-06 Includes\PUPSC.sbi (*)
2007-06-06 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-06 Includes\SecurityC.sbi (*)
2007-06-06 Includes\Spybots.sbi (*)
2007-06-06 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-05-16 Includes\Trojans.sbi (*)
2007-06-06 Includes\TrojansC.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB898461)


--- Startup entries list ---
Located: HK_LM:Run, {8CA29AAC-0705-1033-0304-031113020001}
command: "C:\Program Files\Common Files\{8CA29AAC-0705-1033-0304-031113020001}\Update.exe" te-110-12-0000213
file: C:\Program Files\Common Files\{8CA29AAC-0705-1033-0304-031113020001}\Update.exe
size: 14336
MD5: 1e6f57219308256fd8557c7cfbac8355

Located: HK_LM:Run, {8CA29AAC-0706-1033-0304-031113020001}
command: "C:\Program Files\Common Files\{8CA29AAC-0706-1033-0304-031113020001}\Update.exe" te-110-12-0000213
file: C:\Program Files\Common Files\{8CA29AAC-0706-1033-0304-031113020001}\Update.exe
size: 14336
MD5: 1e6f57219308256fd8557c7cfbac8355

Located: HK_LM:Run, AlcxMonitor
command: ALCXMNTR.EXE
file: C:\WINDOWS\ALCXMNTR.EXE
size: 57344
MD5: 7b8875a5b04932ac73afd8079864db68

Located: HK_LM:Run, Motive SmartBridge
command: C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
file: C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
size: 393216
MD5: 7ef6dd82a8f1d94806755a6e9e4c58bc

Located: HK_LM:Run, PAS_Check
command: "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
file: C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
size: 155648
MD5: ce489a84bbb596fba37d8df2b128ccea

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: fa7eb9aff3d726a6bf0494bee7e378f6

Located: HK_LM:Run, SDR6_Check
command: "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
file: C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
size: 163840
MD5: 07b9773cc7c4aa1b04f2983b8b57826e

Located: HK_LM:Run, SfKg6w
command: C:\WINDOWS\nmmse.exe
file: C:\WINDOWS\nmmse.exe
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: HK_LM:Run, SystemOptimizer
command: rundll32.exe "C:\WINDOWS\System32\ehnypjrp.dll",forkonce
file: C:\WINDOWS\system32\rundll32.exe
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170

Located: HK_LM:Run, WinTouch
command: C:\Program Files\WinTouch\WinTouch.exe
file: C:\Program Files\WinTouch\WinTouch.exe
size: 147968
MD5: c3218d3f71bd62780dc44f54f22cc78d

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1511453
MD5: 1e455b08870d4ac3bb6ab5968603e8af

Located: HK_CU:Run, swg
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: e616a6a6e91b0a86f2f6217cde835ffe

Located: HK_CU:Run, WinPop
command: C:\Program Files\WinPop\winpop.exe
file: C:\Program Files\WinPop\winpop.exe
size: 49152
MD5: 57111181049ea4a2baab8bb5582de754

Located: HK_CU:Run, Yahoo! Pager
command: "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
file: C:\Program Files\Yahoo!\Messenger\ypager.exe
size: 3084288
MD5: 2587308c711214c0e1890157a98e18e8

Located: Startup (common), ALLTEL DSL Check-up Center.lnk
command: C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
file: C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
size: 217088
MD5: 9f603bb59ae0d9f60d0aea44367e6806

Located: Startup (common), hp psc 2000 Series.lnk
command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
size: 323646
MD5: 76266fcb3ec2e37c7b6477d6ba1e7869

Located: Startup (common), hpoddt01.exe.lnk
command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
size: 28672
MD5: a564a22308a3f55235ba2478ee82992d

Located: System.ini, byxyyvs
command: byxyyvs.dll
file: byxyyvs.dll

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, vturs
command: C:\WINDOWS\System32\vturs.dll
file: C:\WINDOWS\System32\vturs.dll
size: 228960
MD5: a3fddfbb58210974a992f2fe051b0a1e

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{00D0E786-A9E4-4EC5-82BA-E4E57D285B83} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: byxyyvs.dll
Short name:
Date (created): 7/30/2007 5:05:32 PM
Date (last access): 8/2/2007 8:31:52 AM
Date (last write): 7/30/2007 5:05:32 PM
Filesize: 31254
Attributes: archive
MD5: A024BD7011396E08DB1EF0D808ACF541
CRC32: A92BED92

{041A41D1-8100-454e-86F2-6BB713EF5F71} (H)
BHO name:
CLSID name: H
Path:
Long name: skiedx1.dll

{1390DE6D-108A-1E57-F641-19E34C90FAED} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: fce.dll
Short name:
Date (created): 4/17/2007 7:57:28 PM
Date (last access): 8/2/2007 8:34:50 AM
Date (last write): 3/19/2007 2:30:06 PM
Filesize: 60928
Attributes: archive
MD5: D0DE0C8BB928A9E2E921BB3943F14E8B
CRC32: 6A19CE35

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 6/9/2007 5:16:26 PM
Date (last access): 8/2/2007 8:34:50 AM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (UberButton Class)
BHO name:
CLSID name: UberButton Class
Path: C:\Program Files\Yahoo!\Common\
Long name: yiesrvc.dll
Short name:
Date (created): 9/25/2005 8:32:54 PM
Date (last access): 8/2/2007 8:34:50 AM
Date (last write): 5/26/2005 11:38:44 AM
Filesize: 181352
Attributes: archive
MD5: 3105430A206291D7F8768F6CD6F3C3BD
CRC32: 28147C76
Version: 2005.5.26.1

{65D886A2-7CA7-479B-BB95-14D1EFB7946A} (YahooTaggedBM Class)
BHO name:
CLSID name: YahooTaggedBM Class
Path: C:\Program Files\Yahoo!\Common\
Long name: YIeTagBm.dll
Short name:
Date (created): 9/25/2005 8:32:54 PM
Date (last access): 8/2/2007 8:34:50 AM
Date (last write): 1/24/2005 9:55:32 AM
Filesize: 115832
Attributes: archive
MD5: A7DFD7463C4AC34309D2304546D7A96A
CRC32: E2DA49AB
Version: 2005.1.24.1

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar4.dll
Short name: GOOGLE~4.DLL
Date (created): 1/27/2007 5:40:20 PM
Date (last access): 8/2/2007 8:34:50 AM
Date (last write): 1/20/2007 12:55:32 AM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 4.0.1601.4978

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\
Long name: swg.dll
Short name:
Date (created): 7/15/2007 7:53:56 PM
Date (last access): 8/2/2007 8:31:52 AM
Date (last write): 7/15/2007 7:53:56 PM
Filesize: 325048
Attributes: archive
MD5: 1DC47CA76A0FFEAA25B45DE5706F2115
CRC32: E2052360
Version: 2.0.301.7164

{BBFAA113-E750-4A18-8365-9C2C5F10057F} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: vturs.dll
Short name:
Date (created): 7/30/2007 5:10:34 PM
Date (last access): 8/2/2007 8:31:56 AM
Date (last write): 7/30/2007 5:10:36 PM
Filesize: 228960
Attributes: archive
MD5: A3FDDFBB58210974A992F2FE051B0A1E
CRC32: E8A069F3

{C6039E6C-BDE9-4de5-BB40-768CAA584FDC} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: iuiqsbxv.dll
Short name:
Date (created): 8/1/2007 5:55:32 PM
Date (last access): 8/2/2007 8:34:54 AM
Date (last write): 8/1/2007 5:55:32 PM
Filesize: 69184
Attributes: archive
MD5: 4CD3244F796472F7F4F3F3E7FEB78A49
CRC32: A8340C88

{CA356D79-679B-4b4c-8E49-5AF97014F4C1} ()
BHO name:
CLSID name:

{E71B0834-C884-E453-F7D8-C3DECEB20ABD} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: azsav.dll



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 2/20/2007 7:02:50 PM
Date (last access): 8/2/2007 9:05:58 AM
Date (last write): 2/20/2007 7:02:50 PM
Filesize: 562760
Attributes: archive
MD5: AADAA7AE58BFB72CC5EBC7A8BC5AA95D
CRC32: 2055A4F6
Version: 7.1.5.58

{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M2808NetInstaller.inf
Codebase: http://cdn.drivecleaner.com/installdrivecleanerstart.cab

{321FB770-1FBE-4BFE-BDC1-6F622D4FA499} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WebflowActiveXInstaller_DSR.inf
Codebase: https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
DPF name:
CLSID name: MSN Photo Upload Tool
Installer: C:\WINDOWS\Downloaded Program Files\MSNPupld.inf
Codebase: http://by138fd.bay138.hotmail.msn.com/resources/MsnPUpld.cab
description:
classification: Legitimate
known filename: MsnPUpld.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnPUpld.dll
Short name:
Date (created): 10/8/2004 4:01:22 PM
Date (last access): 8/2/2007 9:05:58 AM
Date (last write): 10/8/2004 4:01:22 PM
Filesize: 372736
Attributes: archive
MD5: D2ED523BB0FE94F8F492BEFE1C336040
CRC32: C4677625
Version: 10.0.910.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash9.ocx
Short name:
Date (created): 6/22/2006 1:44:22 PM
Date (last access): 8/2/2007 8:34:32 AM
Date (last write): 6/22/2006 1:44:22 PM
Filesize: 2201224
Attributes: readonly archive
MD5: 99F80CA1EBE95677668F54CAC6F4AD6D
CRC32: B7385E3B
Version: 9.0.16.0

pskelley
2007-08-03, 13:49
Welcome to Safer Networking. If you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

The instructions are pinned to the top of the forum and I have posted them above for your convenience. If you have Spybot issues, you can get help with those here:
http://forums.spybot.info/forumdisplay.php?f=4

If you have problems with malware, then please read and follow the instructions.

Thanks

pskelley
2007-08-13, 14:52
No response. If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks